Europe's launch of a digital wallet is a game changer for #banking and #payments, far beyond what we can imagine. Let's take a look.

What happened?

On 29 Feb 2024 the EU adopted regulation to launch a European Digital Identity Wallet (EUDIW) that will harmonize #digitalidentity across Europe.

Main provisions:
— EUDIW is an app allowing citizens to digitally identify themselves, store and manage identity data and official documents in digital form
— Many wallets in each member state with the same technical standards, UX and functionality
— Addressing both online and offline public and private services across the EU
— Recognized throughout Europe
— Voluntary
— Free for natural persons; businesses may be subject to fees
— User control over their personal data
— E-signature
— EUDIW Toolbox based on the Architecture and Reference Framework (ARF) defining common specifications, referenced in implementing acts (legislative texts) across all EU Member States
— Pilot projects until 2025: 360 private companies and public authorities across the EU testing everyday scenarios
— Successor of the eIDAS regulation (launched in 2014)

Example use cases:
— Access or open a bank account
— Perform onboarding process (AML, KYC)
— Initiate a payment
— Apply for a loan
— Submit a tax declaration
— Enroll for university
— Rent a car or book a hotel online
— Strong Customer Authentication

Implications for the #finance industry:
— EUDIWs will unify all physical documents (IDs, passports, driving licenses, etc.) under a digital front layer
— Financial institutions and online platforms with more than 45 mn users (i.e. Amazon, Facebook) will be obliged to accept EUDIW
— Banks will no longer have to maintain their own authentication mechanisms; however, the wallet will largely complement and not replace banks' solutions
— Service providers, such as PSPs or credit card companies, may have to pay for identification services (i.e. to onboard customers)
— PSD2 authentication requirements will be met via EUDIWs, paving the ground for an increase in payment initiation and account information calls and boosting POS-based use cases such as QR code payments or payment initiation at POS
— A combination with the Digital Euro is almost certain

Players in #financialservices will be influenced across 4 directions:
— User experience
— Compliance
— Reduction of fraud
— New use cases

Impact:
— Europeans can save up to 855,000 hours of time and businesses more than €11 bn a year
— 80 % EU citizens' adoption expected by 2030

Timing:
— Publication in the EU Official Journal: Mar 2024
— 6 - 12 months for Implementing Acts
— Within 24 months after Implementing Acts, Member States must provide EUDIWs. Organizations must accept them as an authentication method in the following year

Opinions: my own. Graphic sources: European Commission, Innopay, Gataca
Cybersecurity In Financial Services
API Security: 16 Critical Practices You Need to Know

Drawing from OWASP guidelines, industry standards, and enterprise security frameworks, here are 16 critical API security practices that every development team should implement:

1. Authentication: Your first line of defense. Implement OAuth 2.0, JWT, and enforce MFA where possible.
2. Authorization: RBAC and ABAC aren't buzzwords - they're essential. Implement granular access controls.
3. Rate Limiting: Had an API taken down by a simple script? Rate limiting isn't optional anymore.
4. Input Validation: Every parameter is a potential attack vector. Validate, sanitize, and verify - always.
5. Encryption: TLS is just the beginning. Think end-to-end encryption and robust key management.
6. Error Handling: Generic errors for users, detailed logs for systems. Never expose internals.
7. Logging & Monitoring: You can't protect what you can't see. Implement comprehensive audit trails.
8. Security Headers: CORS, CSP, HSTS - these headers are your API's immune system.
9. Token Expiry: Long-lived tokens are ticking time bombs. Implement proper rotation and expiry.
10. IP Whitelisting: Know who's knocking. Implement IP-based access controls where appropriate.
11. Web Application Firewall: Your shield against common attack patterns. Configure and monitor actively.
12. API Versioning: Security evolves. Your API versioning strategy should account for security patches.
13. Secure Dependencies: Your API is only as secure as its weakest dependency. Audit regularly.
14. Intrusion Detection: Real-time threat detection isn't luxury - it's necessity.
15. Security Standards: Don't reinvent security. Follow established standards and frameworks.
16. Data Redaction: Not all data should be visible. Implement robust redaction policies.

The key lesson? These aren't independent practices - they form an interconnected security mesh. Miss one, and you might compromise the entire system.

What's your experience with these practices? Which ones have you found most challenging to implement?
Threat Modeling via LLMs? 🤔

This new research publication discusses using LLMs to automate Threat Modeling.
- The research focused on banking and financial institutions but could be re-used in other industries and verticals
- Used three phases: dataset creation, prompt engineering, and model fine-tuning
- The researchers were able to use organizational data, applications and use cases and automate the creation of Threat Models along with mitigation strategies for potential threats

They do point out challenges, such as the lack of publicly available domain-specific datasets, the need to tailor models to specific architectures, and the need for real-time adaptive mitigation strategies.

This is a promising example of leveraging LLMs to automate and scale a key activity in building secure and resilient systems while minimizing some historical toil.

#ciso #cyber #ai
👍 The בנק ישראל Bank of Israel has published a directive addressed to "Banking Corporations and Licensed Payment Service Providers Chairman of the Board and CEO" on requirements related to cyber risks associated with the development of quantum computing.

Highlights:

👉 It is important to prepare the banking system for information security and cyber risks related to quantum computing.

👉 Organizations are required, at a minimum, to:
📌 Raise awareness within the banking corporation, continuously monitor developments in quantum computing, and assess the associated cyber risks. Inform all relevant parties within the banking corporation, including the board of directors and senior management
📌 This topic should be discussed periodically in line with technological developments, at least once every two years, and include a review of general developments in quantum computing
📌 Continuously monitor ongoing developments in quantum computing that may impact cyber defense
📌 Integrate quantum computing considerations into the cyber risk management process with the supply chain
📌 Avoid reliance on suppliers and manufacturers that are not preparing for the quantum era

👉 Mapping and Managing Encrypted Information Assets
📌 Map encrypted information assets and processes (discovery and inventory)
📌 Create a transition plan
📌 Metadata to include in the inventory:
- Type of encryption algorithm and key length
- Information owner's details
- Systems and applications using the algorithm
- Duration for which the encrypted information is valid and must remain encrypted
- Sensitivity and criticality level of the information

👉 Development of skills and capabilities
📌 Start preparing to build an infrastructure that will enable the banking corporation to be adequately prepared
📌 Train employees
📌 Define the resources that will be needed
📌 Assess the compatibility with PQC of the existing infrastructure
📌 Prepare for the transition
📌 Identify affected policy documents and procedures, and plan to update and validate them
📌 Define alternative solutions for cases where systems cannot be converted

Organizations are required to develop an initial plan addressing these points. The plan should be discussed by the board of directors and management.

📅 This preparedness plan should be submitted to the Banking Supervision Department within one year from the date of the directive (January 7th, 2025).

This directive is reminiscent of the advisory published by the Monetary Authority of Singapore (MAS) in February 2024, although it is more execution oriented, including a deadline.

Bank of Israel directive: https://lnkd.in/dQj-dyce
MAS advisory: https://lnkd.in/dSbpTuYK

#cybersecurity #pqc #quantum #cryptography
The CFO was furious. He had just wired $65,000 to a scammer because he thought he was paying a trusted vendor.

It wasn't a hack. No one broke a firewall. No one cracked a password. It was a classic Business Email Compromise (BEC). The attackers simply asked for the money, and because they looked legitimate, he sent it.

His first reaction? "We need better software to stop this."

I had to tell him the hard truth: Software can't fix a broken process. Technology alone cannot stop a human from being manipulated. If you rely solely on tools, you are bringing a firewall to a confidence game.

We didn't solve this problem by buying an expensive new security appliance. We solved it by rewriting the company's Standard Operating Procedure (SOP). We implemented a simple, non-technical rule: Any request for a wire transfer received via email or text must be verbally verified by a second authorized signer.

That one process change (which cost $0 in software licensing) did more to secure their finances than any tool on the market could have.

👇 I've attached the exact SOP template we use. Swipe through to see the specific language you can add to your finance policies today.

In my book, Fire Doesn't Innovate, I share tools like this because cyber resilience is about People, Process, and Technology; not just Technology.

#BusinessEmailCompromise #CFO #RiskManagement #FireDoesntInnovate #SOP
Would your organization detect a cyberattack before it's too late?

Cyber threats are evolving. A single undetected breach can cost millions. The Global Technology Audit Guide (GTAG) on Cybersecurity Operations helps internal auditors assess how well organizations prevent and detect cyber threats before damage is done.

Key areas of cybersecurity operations:
↳ Security in design: is cybersecurity embedded in system planning and governance?
↳ Prevention: using encryption, antivirus, email filtering, and security training to block attacks.
↳ Detection: monitoring logs, vulnerability scanning, penetration testing, and threat hunting.

What internal auditors should do:
↳ Review cybersecurity governance: ensure leadership sets clear policies and oversight.
↳ Assess prevention controls: check if security measures (firewalls, DLP, access controls) are effectively implemented.
↳ Evaluate detection capabilities: verify if monitoring tools and incident response processes identify threats.
↳ Test for gaps: use risk-based audits to detect weak controls before attackers do.
↳ Engage IT & security teams: collaborate with CIOs, CISOs, and security teams for a comprehensive view.
↳ Leverage cybersecurity frameworks: align with NIST, COBIT, and CIS Controls for industry best practices.

Source: The IIA. 2025. Auditing Cybersecurity Operations: Prevention and Detection, 2nd Edition

How is your audit team approaching cybersecurity risks? Let's discuss 😊
More than half of web traffic now comes from bots. A third of it is malicious. Banks are squarely in the crosshairs.

The latest Imperva Bad Bot Report is a wake-up call for financial services. Bot traffic has crossed the 50 percent threshold, with 37 percent of all traffic classified as "bad bots" carrying out scraping, payment fraud, and account takeovers. Nearly 40 percent of API-targeted attacks in 2024 were aimed at the financial sector.

Attackers are using generative AI not just to build bots, but to test, learn, and evolve them in real time. These aren't just scripts. They're AI-powered agents designed to bypass detection, mimic human behavior, and exploit vulnerabilities at scale.

As my colleague Valerie Abend put it: APIs are no longer just the perimeter. They are the supply chain of the bank. Securing them is non-negotiable.

Key defenses include:
- Accurate API inventories and strict authentication protocols
- Rate limiting, anomaly detection, and threat intel sharing
- AI-aware web application firewalls and deception tools like honeypots

The rise of bad bots isn't new, but the pace and precision of their evolution is. We need to meet automation with automation, and treat API security as core infrastructure.

📖 Worth the read in American Banker: https://lnkd.in/ep--nQ4x

Accenture #CyberSecurity #Banking #GenerativeAI #APIsecurity #DigitalRisk #FinancialServices #AI #BotDefense
🔴 Banks are facing a compounding problem of interconnected risks.

Risks are not checklists. They are dynamic and elusive. When banks describe their operating environment as "off the map," something fundamental has shifted. ABA Banking Journal's 2026 risk survey reveals simultaneous disruptions that don't fit traditional risk frameworks - a stress test of institutional assumptions.

The numbers: 48% of institutions are updating risk appetite statements, 62% investing in scenario analysis.

Banks admit they can't forecast what comes next when AI agents transact autonomously, deepfakes defeat authentication, and regulatory frameworks swing between expansion and rollback.

Three convergent pressures:

‣ The regulatory landscape is fragmenting. Federal deregulation (CRA rollback to 1995, reconsidering CFPB rules) meets state attorney general enforcement. Banks navigate 50 different enforcement philosophies while documenting every account decision to withstand scrutiny.

‣ Technology creates operational liability faster than governance keeps pace. AI introduces ambiguity—who's liable when an AI agent executes a Reg E transaction? Legacy platforms force M&A among regionals and community banks who can't compete without scale.

‣ The threat surface has evolved beyond perimeter defense. Cyber intrusions arrive through vendor pathways, deepfake audio convinces staff to override protocols, sophisticated phishing defeats caller-ID trust. The old playbook of "trust but verify" breaks when verification signals themselves can be synthesized.

Here's what makes 2026 different: these aren't isolated risks you can address sequentially. They're interconnected pressures that amplify each other in a dynamic system. AI deployments require clean data, but legacy systems produce messy data. Regulatory uncertainty discourages the technology investments needed to modernize those legacy systems. Cyber threats exploit the integration gaps between old and new infrastructure created during half-finished modernization efforts. Each pressure makes the others harder to solve.

This is a compounding problem, not a checklist. Banks that treat 2026 as "business as usual with complications" are misreading the moment. The institutions updating their risk appetite statements are acknowledging something more fundamental—the rules of the game are being rewritten in real time, and nobody handed out the new rulebook.

#banking #AI #riskmanagement

Link to the article that triggered my analysis in the comments
Key Findings from the 2025 State of #Fraud Report

🔸 Rising Fraud Incidents Across All Sectors: 60% of financial institutions and #fintechs reported an increase in fraud events targeting #consumer and business accounts in 2024. Fraud was predominantly digital, with 80% of events occurring on #online or #mobilebanking channels.

🔸 Key Fraud Types: Credit card fraud, identity theft, and account takeover (ATO) #fraud were the most common types of fraud reported. 20% of enterprise #banks ranked check fraud as their most frequent fraud type.

🔸 Financial and Reputational Costs: 31% of organizations experienced fraud losses exceeding $1M in 2024. 73% ranked #reputational damage as the most severe consequence of fraud, followed closely by direct financial losses (72%) and loss of clients (72%).

🔸 Role of Organized Crime: 71% of fraud attempts were attributed to financial #criminals or fraud rings, marking a shift from first-party to third-party fraud.

🔸 Fraud #Detection and Prevention: 56% of financial organizations most commonly detected fraud at the transaction stage, while 33% identified it during onboarding. Real-time interdiction was conducted by only 47% of respondents, highlighting a gap in immediate fraud prevention.

🔸 Fraud Detection Trends: Inconsistent user #behavior (28%) and mismatched personal data (20%) were leading indicators of fraud attempts. Mid-market banks reported the highest incidence of fraud, with 56% facing over 1,000 fraud cases.

🔸 AI and Technology Adoption: 99% of organizations reported using AI in fraud prevention, with 93% agreeing that machine learning and #generativeAI will revolutionize detection capabilities. #AI was predominantly used for anomaly detection (59%) and explaining large datasets for #risk analysis (67%).

🔸 Fraud Prevention Investments: 93% of respondents indicated ongoing #investments in fraud prevention, with identity risk solutions being the most impactful (34%). Top technologies for 2025 include identity risk solutions (64%), document #verification software (49%), and voice/facial recognition systems (38%).

🔸 Regulatory Impact: 62% of organizations plan to increase fraud prevention investments in response to #regulatory scrutiny and potential #reimbursement requirements for fraud losses.

Predictions for 2025:
🔆 Fraud will continue to rise, driven by increased availability of consumer data on the #darkweb
🔆 Financial institutions are expected to adopt #centralized platforms for fraud and identity risk management to enhance efficiency and reduce losses
🔆 Advanced AI tools and real-time #payments systems will remain key focus areas for fraud mitigation strategies.

These findings emphasize the need for a multi-layered approach to fraud prevention, prioritizing identity verification, AI-driven analytics, and real-time interdiction.
India's financial sector is a powerhouse driving economic growth. However, a report by RBI raises a concerning trend: a surge in cyberattacks targeting these institutions. With over 13 lakh attacks reported last year, it's clear that robust defenses and proactive management of cyber risks are critical.

So, what makes Indian banks vulnerable?
❗ Rapid technological adoption: While embracing innovation is great, the rush to implement new technologies, like cloud computing, can create security gaps in traditional systems.
❗ Increased attack sophistication: Cybercriminals are constantly evolving. Gone are the days of simple denial-of-service attacks. Today's threats involve sophisticated ransomware, exploiting software vulnerabilities and even AI-powered attacks.
❗ Interconnectedness: Banks rely heavily on third-party vendors and APIs. These connections can become weak points if not properly secured.

How can finance companies build stronger defenses?
1. Have a Multi-Layered Security Approach
2. Have Continuous Threat Intelligence
3. Conduct Security Awareness Training
4. Secure the Supply Chain
5. Invest in Advanced Solutions
6. Integrate Security by Design
7. Implement a Risk Management Framework
8. Board Level Engagement

Boardroom Involvement Matters. Why? Effective cybersecurity starts at the top. Boards of directors play a crucial role in setting the strategic direction for cyber risk management. Their active involvement is essential for:
🔵 Understanding Cyber Threats: Boards need to be educated on the evolving cyber threat landscape, including the potential impact on the institution's financial stability and reputation.
🔵 Allocating Resources: Cybersecurity requires ongoing investment. Boards need to approve adequate budgets for security technologies, employee training and incident response plans.
🔵 Oversight and Accountability: Boards should establish clear expectations for cybersecurity performance and hold management accountable for implementing effective controls.

For finance professionals, building cybersecurity skills is no longer optional. Here are a few ways to stay ahead of the curve:
✅ Take online courses or attend workshops: Numerous resources are available to learn about cyber threats and best practices.
✅ Stay informed on the latest attack trends: Subscribe to cybersecurity news and reports to stay vigilant.
✅ Practice good cyber hygiene: Use strong passwords, be cautious with email attachments and report suspicious activity immediately.

Security is a shared responsibility. By working together, financial institutions, professionals and regulators can create a more secure financial ecosystem for everyone.

#bfsi #cybersecurity #cyberawareness #securitymatters #cyberattacks